1) Overview
Tokra engages certain third-party service providers as Subprocessors to help operate, secure, and support the Service. Each Subprocessor is bound by written terms that are no less protective than Tokra’s commitments in the DPA, including confidentiality, security controls, and restricted purposes. Tokra does not sell personal data.
International transfers may occur and are protected by appropriate safeguards (e.g., EU SCCs, UK IDTA/Addendum) and Transfer Impact Assessments, as described in the DPA / Privacy Policy.
Sovereign Mode. If a later Sovereign Addendum is executed, applicable residency/localization constraints for the covered product will override this page for that scope.
2) Subprocessor Categories & Typical Purposes
The live, up-to-date list (by category) appears below. Tokra may use one or more providers in each category, and may change providers over time.
| Category | Purpose | Typical Data Processed | Processing Region | Typical Retention/Deletion |
|---|---|---|---|---|
| Hosting / Cloud (IaaS/PaaS) | Run infrastructure, storage, backups, networking | Operational data and encrypted Customer Content | Global as needed | Per internal backup/rotation schedules |
| CDN & Edge | Content delivery, caching, acceleration, DDoS/WAF | Request metadata (e.g., IP, headers) | Global/Regional | Session/short-term |
| Email & Transactional Messaging | System emails, verifications, notifications, support mail | Email addresses, message metadata | Global | As required for deliverability/compliance |
| Payments | Billing, subscription collections, invoicing | Billing metadata (Tokra does not store card PANs) | Per payment provider | As required by finance/tax laws |
| Performance & Crash Monitoring | Reliability, error reporting, telemetry minimization | Metrics, stack traces (minimized/pseudonymized where feasible) | Global | ~1–12 months |
| Security & Anti-Fraud | Abuse detection, credential protection, threat intel | Security logs/signals, risk scores | Global | Minimal/short; policy-bound |
| Analytics (opt-in) | Non-essential usage analytics | IDs/cookies (with consent), page/app events | As configured | ~1–13 months |
| Support / Helpdesk | Ticketing, attachments, customer care | Ticket details, contact info, diagnostics | Global | Per support policy/closure windows |
| Release / Distribution | SDK/package delivery, updates | Technical distribution metadata only | Global | Product lifecycle |
| Identity & Access Tools (internal) | SSO, IAM, secrets and key management | Auth metadata, service principals | Global | Per key/secret rotation and audit rules |
| Backup & DR Services | Encrypted backups, continuity | Encrypted datasets, indexes | Regional/Global | Rotation/overwrite on schedule |
Provider names Tokra publishes categories publicly. Where needed, specific provider names can be shared under NDA or upon a legitimate customer request.
3) Change Management, Notice & Objection (per DPA)
Advance notice. Tokra will provide reasonable advance notice (at least 10 business days where feasible) before adding a material new Subprocessor category or materially changing how a category processes Customer Personal Data.
How to receive notices. Email legal@tokra.ai or privacy@tokra.ai with the subject “Subscribe: Subprocessor Updates”.
Customer objection. Within 10 business days of notice, a Customer may object on reasonable privacy/security grounds. Tokra will work in good faith to propose an alternative or mitigation. If no reasonable alternative exists, the Customer may terminate the affected portion of the Service without penalty for prepaid unused fees, as set out in the DPA.
4) Security, Confidentiality & Compliance
- All Subprocessors must implement technical and organizational measures comparable to Tokra’s TOMs (see DPA Annex II).
- Limit processing to documented instructions and the purposes stated above.
- Ensure confidentiality and trained personnel.
- Support Tokra’s cooperation with supervisory authorities and lawful requests, consistent with the DPA.
5) Questions
For questions about this page or to request provider names under NDA: legal@tokra.ai.
Privacy/DPO contact: privacy@tokra.ai.